Merge pull request #117 from facebook/linux-processes-vtable

[vtables] Processes table for Linux (procps3)
2024-11-07 18:08:53 +00:00 · 2014-09-09 14:43:26 -07:00 · 2014-09-09 14:43:26 -07:00 · bfba3d491d
commit bfba3d491d
parent d4c7673011 2bcd89d70f
7 changed files with 150 additions and 11 deletions
--- a/osquery/filesystem.h
+++ b/osquery/filesystem.h
@ -21,6 +21,12 @@ namespace fs {
 // failure of the operation.
 osquery::Status readFile(const std::string& path, std::string& content);

+// pathExists returns an OSquery-standard tri-state for reporting disk 
+// presense. (-1) no input was supplied, assuming the caller is not aware
+// of how to check path-getter results; (0) path does not exist on disk;
+// (1) path does exist on disk.
+osquery::Status pathExists(const std::string& path);
+
 // listFilesInDirectory accepts a const reference to an std::string indicating
 // the path of the directory that you'd like to list and a non-const reference
 // to an std::vector<std::string> which will be populated with the contents of
--- a/osquery/filesystem/filesystem.cpp
+++ b/osquery/filesystem/filesystem.cpp
@ -53,6 +53,18 @@ cleanup:
  return Status(statusCode, statusMessage);
 }

+Status pathExists(const std::string& path) {
+  if (path.length() == 0) {
+    return Status(0, "-1");
+  }
+
+  // A tri-state determination of presence
+  if (!boost::filesystem::exists(path)) {
+    return Status(0, "0");
+  }
+  return Status(0, "1");
+}
+
 Status listFilesInDirectory(const std::string& path,
                            std::vector<std::string>& results) {
  try {
--- a/osquery/tables/CMakeLists.txt
+++ b/osquery/tables/CMakeLists.txt
@ -26,7 +26,7 @@ if(APPLE)
    system/darwin/kextstat.cpp
    system/darwin/launchd.cpp
    system/darwin/nvram.cpp
-    system/processes.cpp
+    system/darwin/processes.cpp
    system/last.cpp
  )

@ -39,8 +39,10 @@ if(APPLE)
 else()
  ADD_LIBRARY(osquery_tables_linux OBJECT
    system/linux/kernel_modules.cpp
+    system/linux/processes.cpp
  )

+  ADD_OSQUERY_LINK("procps")
  SET_OSQUERY_COMPILE(osquery_tables_linux)

  LIST(APPEND OSQUERY_CORE_TABLE_TARGETS $<TARGET_OBJECTS:osquery_tables_linux>)
--- a/osquery/tables/specs/darwin/processes.table
+++ b/osquery/tables/specs/darwin/processes.table
@ -12,4 +12,4 @@ schema([
    Column(name="start_time", type="std::string"),
    Column(name="parent", type="int"),
 ])
-implementation("osquery/tables/system/processes@genProcesses")
+implementation("osquery/tables/system/darwin/processes@genProcesses")
--- a/osquery/tables/specs/linux/processes.table
+++ b/osquery/tables/specs/linux/processes.table
@ -0,0 +1,15 @@
+table_name("processes")
+schema([
+    Column(name="name", type="std::string"),
+    Column(name="path", type="std::string"),
+    Column(name="cmdline", type="std::string"),
+    Column(name="pid", type="int"),
+    Column(name="on_disk", type="std::string"),
+    Column(name="resident_size", type="std::string"),
+    Column(name="phys_footprint", type="std::string"),
+    Column(name="user_time", type="std::string"),
+    Column(name="system_time", type="std::string"),
+    Column(name="start_time", type="std::string"),
+    Column(name="parent", type="int"),
+])
+implementation("osquery/tables/system/linux/processes@genProcesses")
--- a/osquery/tables/system/darwin/processes.cpp
+++ b/osquery/tables/system/darwin/processes.cpp
@ -16,6 +16,7 @@

 #include "osquery/core.h"
 #include "osquery/database.h"
+#include "osquery/filesystem.h"

 using namespace osquery::core;
 using namespace osquery::db;
@ -97,15 +98,7 @@ QueryData genProcesses() {
    char path[PROC_PIDPATHINFO_MAXSIZE];
    proc_pidpath(pids[i], path, sizeof(path));
    r["path"] = std::string(path);
-    if ((r["path"]).length() > 0) {
-      if (!boost::filesystem::exists(r["path"])) {
-        r["on_disk"] = "0";
-      } else {
-        r["on_disk"] = "1";
-      }
-    } else {
-      r["on_disk"] = "-1";
-    }
+    r["on_disk"] = osquery::fs::pathExists(r["path"]).toString();

    // systems usage and time information
    struct rusage_info_v2 rusage_info_data;
--- a/osquery/tables/system/linux/processes.cpp
+++ b/osquery/tables/system/linux/processes.cpp
@ -0,0 +1,111 @@
+// Copyright 2004-present Facebook. All Rights Reserved.
+
+#include <string>
+#include <fstream>
+#include <streambuf>
+#include <sstream>
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <proc/readproc.h>
+
+#include <boost/lexical_cast.hpp>
+
+#include "osquery/core.h"
+#include "osquery/database.h"
+#include "osquery/filesystem.h"
+
+using namespace osquery::core;
+using namespace osquery::db;
+
+namespace osquery {
+namespace tables {
+
+#define PROC_SELECTS                                                 \
+  PROC_FILLCOM | PROC_EDITCMDLCVT | PROC_FILLMEM | PROC_FILLSTATUS | \
+      PROC_FILLSTAT
+
+std::string proc_name(const proc_t* proc_info) {
+  char cmd[17];  // cmd is a 16 char buffer
+
+  memset(cmd, 0, 17);
+  memcpy(cmd, proc_info->cmd, 16);
+  return std::string(cmd);
+}
+
+std::string proc_attr(const std::string& attr, const proc_t* proc_info) {
+  std::stringstream filename;
+
+  filename << "/proc/" << proc_info->tid << "/" << attr;
+  return filename.str();
+}
+
+std::string proc_cmdline(const proc_t* proc_info) {
+  std::string attr;
+  std::string result;
+
+  attr = proc_attr("cmdline", proc_info);
+  std::ifstream fd(attr, std::ios::in | std::ios::binary);
+  if (fd) {
+    result = std::string(std::istreambuf_iterator<char>(fd),
+                         std::istreambuf_iterator<char>());
+  }
+
+  return result;
+}
+
+std::string proc_link(const proc_t* proc_info) {
+  std::string attr;
+  std::string result;
+  char* link_path;
+  long path_max;
+  int bytes;
+
+  // The exe is a symlink to the binary on-disk.
+  attr = proc_attr("exe", proc_info);
+  path_max = pathconf(attr.c_str(), _PC_PATH_MAX);
+  link_path = (char*)malloc(path_max);
+
+  memset(link_path, 0, path_max);
+  bytes = readlink(attr.c_str(), link_path, path_max);
+  if (bytes >= 0) {
+    result = std::string(link_path);
+  }
+
+  free(link_path);
+  return result;
+}
+
+QueryData genProcesses() {
+  QueryData results;
+
+  proc_t* proc_info;
+  PROCTAB* proc = openproc(PROC_SELECTS);
+
+  // Populate proc struc for each process.
+  while (proc_info = readproc(proc, NULL)) {
+    Row r;
+
+    r["pid"] = boost::lexical_cast<std::string>(proc_info->tid);
+    r["name"] = proc_name(proc_info);
+    r["cmdline"] = proc_cmdline(proc_info);
+    r["path"] = proc_link(proc_info);
+    r["on_disk"] = osquery::fs::pathExists(r["path"]).toString();
+
+    r["resident_size"] = boost::lexical_cast<std::string>(proc_info->vm_rss);
+    r["phys_footprint"] = boost::lexical_cast<std::string>(proc_info->vm_size);
+    r["user_time"] = boost::lexical_cast<std::string>(proc_info->utime);
+    r["system_time"] = boost::lexical_cast<std::string>(proc_info->stime);
+    r["start_time"] = boost::lexical_cast<std::string>(proc_info->start_time);
+    r["parent"] = boost::lexical_cast<std::string>(proc_info->ppid);
+
+    results.push_back(r);
+    freeproc(proc_info);
+  }
+
+  closeproc(proc);
+
+  return results;
+}
+}
+}